Email delivery questions?

killmasta93

Renowned Member
Aug 13, 2017
Hi,
I was wondering if someone else has had this issue before. Recently I've been getting a lot of these.
My question is, are the attackers using PMG as a relay, or something? I thought it would reject and not send a mail delivery report? Also not sure why there are so many deferred emails.

https://ibb.co/xSwDvnB


Code:
This is the mail system at host pmg.mydomain.local.

I'm sorry to have to inform you that your message could not
be delivered to one or more recipients. It's attached below.

For further assistance, please send mail to postmaster.

If you do so, please include this problem report. You can
delete your own text from the attached returned message.

                   The mail system

<antonio-349@e.anonymous-hackers-group.ga>: Host or domain name not found. Name
    service error for name=e.anonymous-hackers-group.ga type=AAAA: Host not
    found

Then seconds later I get this:
Code:
Proxmox Notification:

Sender:   antonio-349@e.anonymous-hackers-group.ga
Receiver: info@mydomain.com
Targets:  info@mydomain.com

Subject: =?UTF-8?Q?This=20is=20my=20last=20warn?==?UTF-8?Q?ing=20inf?= =?UTF-8?Q?o@mydomain.com!?=


Matching Rule: Block Viruses

Rule: Block Viruses
  Receiver: info@mydomain.com
  Action: modify field: subject:SPAM: =?UTF-8?Q?This=20is=20my=20last=20warn?==?UTF-8?Q?ing=20inf?= =?UTF-8?Q?o@mydomain.com!?=

  Action: Move to quarantine.
  Action: notify sistemas@mydomain.com
  Action: notify antonio-349@e.anonymous-hackers-group.ga


Virus Info: Sanesecurity.Phishing.Fake.Coin.27561.UNOFFICIAL (clamav)

Spam detection results:  7
DCC_CHECK                 1.1 Detected as bulk mail by DCC (dcc-servers.net)
KAM_ASCII_DIVIDERS        0.8 Spam that uses ascii formatting tricks
KAM_LAZY_DOMAIN_SECURITY      1 Sending domain does not have any anti-forgery methods
SCHAALIT_HEADER_6014        5 schaal @it Spam Header-6014
 
Looks like someone is faking your sender domain and you now get back the mails that "you" have sent. There is nothing you can do against it; you may use SPF and hope that the receiving server will check it and make sure that this mail isn't from you, so they won't bounce it back.
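To show the SPF point from the reply above in working code, here is an added example (not from this thread, PMG or Postfix) of a minimal SPF evaluator: with a "-all" record, a receiving server can reject the forged MAIL FROM during the SMTP dialogue, so it never accepts the message and never generates the bounce that lands back at the spoofed domain. The DNS records and IP addresses are constructed; only the ip4, ip6, a and all mechanisms are handled (no include, mx or redirect).

```python
import ipaddress

# Constructed DNS data for this example (not real records). mydomain.com
# publishes SPF with "-all", so any host not listed is a hard fail.
DNS_TXT = {
    "mydomain.com": "v=spf1 ip4:203.0.113.10 ip6:2001:db8::/48 a:mx.mydomain.com -all",
}
DNS_A = {"mx.mydomain.com": ["203.0.113.25"]}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_terms(domain):
    """Return the mechanisms of a domain's SPF record, or None if it has none."""
    txt = DNS_TXT.get(domain.lower())
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]

def check_spf(client_ip, domain):
    """Evaluate SPF for the connecting IP against the MAIL FROM domain.
    Handles ip4, ip6, a and all; include/mx/redirect are out of scope here."""
    terms = spf_terms(domain)
    if terms is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in terms:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.lower().partition(":")
        matched = False
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)  # False across v4/v6
        elif mech == "a":
            hosts = DNS_A.get(arg or domain.lower(), [])
            matched = any(ip == ipaddress.ip_address(h) for h in hosts)
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without a match

def smtp_decision(client_ip, mail_from):
    """What a receiver enforcing SPF at SMTP time would reply to MAIL FROM.
    A 550 at this stage means nothing is accepted, so no NDR is ever generated."""
    domain = mail_from.rpartition("@")[2]
    if check_spf(client_ip, domain) == "fail":
        return "550 5.7.1 SPF fail"
    return "250 OK"
```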
 
Thanks for the reply. Is there a way to block masked email addresses? Let's say the attacker masks the email address as mydomain.com but in reality it's attacker.com. I currently have a working SPF. On a side question: in the rules I see the option to notify the sender when a virus is sent, but I think that does not work. I did see the option milter reject from your tutorials; would that count as a reject?
 
I'm unsure which, but there was a posting in the forum about masked addresses (where From is overwritten); you can use a RegEx for that, it's explained in that posting, you need to search. However, the issue above is a backscatter mail, so besides SPF you can't do anything against that. About notify: I saw you have a posting open; I'm unsure about the possible tags. Usually the sender won't be notified about sending a virus. If it's outgoing maybe it's interesting, but usually the admin should know about it, as the user, if he sent a virus, doesn't know how to prevent it and what to do, so it's better just to notify the admin. Milter is doing valid rejects instead of silent drops, that's right.
 
Thanks for the reply, I'm going to look at that forum post to find out. As for the milter reject, it rejects an email and sends it back to the person who sent it from the other domain? That's one thing I miss from scrolloutf1: if someone was on a blacklist such as in rats, scrolloutf1 would reject it back to the sender, and if he was blacklisted locally on scrolloutf1 it would also reject it, notifying the sender. As for your tutorial, would this apply this concept? While reading, the only drawback is that the tracking center doesn't show such mails, and they won't be included in the statistics.

Thank you
 
No, that's an NDR and that is what I try to prevent with milter reject; this one rejects the message at the connection level. The mail is coming in, so it says in this dialogue "Go away with your message, that's spam" (in the sense of that). Blacklist rejects need to be done via shell on Postfix level; you need to use access rules, header and body checks for that. Or you need to reach such a high score that milter reject will reject such messages via SpamAssassin. My tutorial applies this concept partially. I currently await a response from @tom; maybe http://www.postfix.org/SMTPD_PROXY_README.html will also work without the requirement to use milter reject and can be done only by changing the behavior of PMG-SMTP-Filter from post-queue to pre-queue.
 
Thanks for the reply. Not sure what NDR stands for, but if I understood correctly, on Proxmox the blacklist drops silently instead of alerting (what scrolloutf1 used to do), and your milter reject, if it's spam with a high score around 10 and above, rejects instead of silently keeping it?

Thanks for the reply
 
Thanks for the reply. Would it also reject if I put a domain on the blacklist? Or if the email does not exist?
 
If you use Postfix blacklists, yes; if you use PMG rules/GUI blacklists, no. If the recipient does not exist and you activated the verify feature in the GUI and on all mail servers behind PMG, yes. If you want to check the sender mail address, you can configure such behavior in the Postfix main.cf.in template; however, it's uncertain if that always works well. I wouldn't use this setting, as it depends on the sending server being able to check the sender addresses, and many don't allow that, as it's then also able to check recipients for spam as well.
 
